Overview

overview

10

Static

static

3

toolspub2(1).exe

windows7-x64

10

toolspub2(1).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspub2(1).exe

  • Size

    204KB

  • MD5

    42fd43493fe458c14357e791d574da30

  • SHA1

    cc8add3c129d5a6ea818ff818e6dcf83dbb61691

  • SHA256

    0a995df69165131d1a7a2c734f8f1b221338b2f9754ee1863cb8fd7fbdd296f7

  • SHA512

    49aed3b2bb525f285928d0aecde5d4189356c1374a5ab525e63442da6fe321c278b06216a0a739357bba6028f087d77070cb4d06765ac34c9def6fc2d7a8c706

  • SSDEEP

    3072:ZkIknM3Jq/AmlEkJiAj1K/2sIMOfbAichhFye+Uv3+RLzT+cmk:ZkIyXlEdOfEich3yIAzCcL

Score
10/10
smokeloaderup3backdoorevasiontrojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 2 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspub2(1).exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2(1).exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 368
      2⤵
      • Program crash
      PID:4548
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4040 -ip 4040
    1⤵
      PID:1476
    • C:\Users\Admin\AppData\Local\Temp\93D4.exe
      C:\Users\Admin\AppData\Local\Temp\93D4.exe
      1⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4084
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
          PID:2396
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1140
            3⤵
            • Program crash
            PID:4992
      • C:\Users\Admin\AppData\Local\Temp\98B7.exe
        C:\Users\Admin\AppData\Local\Temp\98B7.exe
        1⤵
          PID:4340
          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
            "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
            2⤵
              PID:4908
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2396 -ip 2396
            1⤵
              PID:5016

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\93D4.exe
              Filesize

              64KB

              MD5

              8eaa9843324e8c21c964850a9a0c0f0a

              SHA1

              9430a23ce885526cab53df84ec74f295d0dbae50

              SHA256

              2c18da7002d0c0b493e0fc3b2e115ac05f941070cdd9143c6c8d2661140ffdbc

              SHA512

              80074e5016a4e8ccaec4b39d3bcc6e95ba540ffbdb413d95957ab93dbdc4fbc3991d9fdb60667f6a0d595b37b1ff13de367769de7f639aebf0858689c9ba8194

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\93D4.exe
              Filesize

              80KB

              MD5

              6986d04d6041e1ab0f6056f914ddc45b

              SHA1

              c13a37f3ea7fbde322365bebc708ea91217adbac

              SHA256

              bcddd33e150637ae909529cb77bf7dfec3283ec46b70d86900c80a657787521e

              SHA512

              27b707fcac8312fba4d97048a1c9205d5260af3e7a5d86646baf32ae79970761df7159cafe3d1186d6ad0854db682a480f2bdb7d43a2aaa6296f03443588f00f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\98B7.exe
              Filesize

              146KB

              MD5

              7d418894895cb6bf3345c3809e86f7d4

              SHA1

              a3778c15a0d088de8e8afe86a3a676f4e830cfde

              SHA256

              236ce98d054799da290d5b59bc8be1599fbdb56275ab0924ead74fe4a6e13ac8

              SHA512

              c1715da074e49db6ed62426c500ad8922c65b460e8fde5408b4cb5ab2de3d3a764cc70dcff779fcd16971639800faf0d0a4174fca279c15d6e256afed1830f48

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\98B7.exe
              Filesize

              151KB

              MD5

              e4a080509d3f5591714999aa0db935d3

              SHA1

              e630bea5d793b80c90423f30314e5da861601d84

              SHA256

              99616f7f2d5d0173b5eb206d5fb542ee64ada2eaf56e9b6c824fd667b3fc3d70

              SHA512

              0f31f24a95df972876d57b2b865ad3ee888af5e3a80f3885c215ac5f828b5ef1ae0ffc05377262ee2c27956d105fad39557ebdd2065049faff85e3de2096cd0a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              135KB

              MD5

              08cec90a3f6e0c0e31460b6339ab75f7

              SHA1

              00737b9dc9ee201d588995556410f07225b52da9

              SHA256

              772b5b1fd7776c86bb1ed3fa51099950e4c74de3bf68360c9d90641bcae12577

              SHA512

              c314fbc8d3706bcbd40f687afaa083abb09ed4b555eb08960cf78b0c179de8ae413e1a2b983b87e6602a4daa40cc56a487e8ddc8c9931b975df2819e8317736b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              99KB

              MD5

              359a0339d1be9454f8c9819b25bd7999

              SHA1

              639df44bff479f08bdd7dc369ad2d2f5670c3e4f

              SHA256

              74aa4717580aea2d2a2dbde15db4cfd17d55a80907251e57ad7f501f4e211b4d

              SHA512

              55ff503e0a4bb6d1a4a7ca43e2f5059b8399544d19db3933b0202c13ee5902e73d719853061b308e50fdc8746c1a6e0a780c937110a83936dcbae972212ecf49

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              121KB

              MD5

              724105511047c758a8b1ae7a79c2ebbf

              SHA1

              9d3985ea0181ba6c95ccddb79f64e06417bcf852

              SHA256

              decaa96650e1d66b54692a597cb69a1f3a081865c9ca500ed1fd0ce997d3b4b3

              SHA512

              12764e89634f8b8d1c08db1ababc9c01bce954d70ae6410c122c5711a100124ae765747ff974e4fbdbcad61067892200ed16c1f1a25f9df174783cc4a53e57d2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\lib.dll
              Filesize

              72KB

              MD5

              2aaa4f051fad1a241b2350466d5edff5

              SHA1

              401775131d54ab1423316cc9d1d1d936d20cc3c9

              SHA256

              1ab5c2df45eb90db9a1e738cc2a188539a23b5b349e90e08c65062af1f536ad1

              SHA512

              673edb0945080c9fa97e4803a05097419804b0c4d4277ddea42cca0381f9fa1669628984c28bf432784cf18e3f93698f9c7b5fed7174650428bc7c68d5f28214

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsc99DF.tmp\System.dll
              Filesize

              12KB

              MD5

              dd87a973e01c5d9f8e0fcc81a0af7c7a

              SHA1

              c9206ced48d1e5bc648b1d0f54cccc18bf643a14

              SHA256

              7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

              SHA512

              4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

              Download Submit

            • memory/2396-28-0x0000000000800000-0x00000000008C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2396-31-0x0000000001050000-0x0000000001051000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2396-62-0x0000000000B60000-0x0000000000F93000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2396-60-0x0000000002B70000-0x0000000002B72000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2396-59-0x0000000000800000-0x00000000008C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2396-63-0x0000000000800000-0x00000000008C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2396-24-0x0000000000B60000-0x0000000000F94000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2396-26-0x0000000000B60000-0x0000000000F94000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2396-30-0x0000000000800000-0x00000000008C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2396-27-0x0000000000800000-0x00000000008C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/3408-4-0x0000000002EF0000-0x0000000002F06000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4040-3-0x0000000000400000-0x0000000000438000-memory.dmp

              Filesize

              224KB

              Download

            • memory/4040-2-0x00000000005E0000-0x00000000005E9000-memory.dmp

              Filesize

              36KB

              Download

            • memory/4040-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4040-7-0x0000000000400000-0x0000000000438000-memory.dmp

              Filesize

              224KB

              Download

            • memory/4084-16-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4084-18-0x0000000077044000-0x0000000077045000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4084-14-0x0000000000010000-0x000000000006D000-memory.dmp

              Filesize

              372KB

              Download

            • memory/4084-19-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4084-17-0x0000000000730000-0x000000000073D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/4084-22-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4084-39-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4084-23-0x0000000002830000-0x000000000283C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4084-21-0x0000000002800000-0x0000000002801000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4340-38-0x0000000000360000-0x00000000008F6000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4340-46-0x0000000000360000-0x00000000008F6000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4908-58-0x0000000072580000-0x0000000072C97000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/4908-64-0x0000000072580000-0x0000000072C97000-memory.dmp

              Filesize

              7.1MB

              Download